Configure the Passkeys (FIDO2 WebAuthn) access controls
Manage Passkeys (FIDO2 WebAuthn) authenticators and policies.
User verification
This adds an extra check, like a fingerprint, face scan, or device PIN, to verify the user. This check happens on the user's device, so their biometric data never leaves it.
- You can also require this in your app sign-in policies and Okta account management policy rules. If settings conflict, the most secure option is always used.
- If Create passkeys is enabled, setting user verification to Discouraged for both Enrollment and Authentication may prevent passkey credentials from being released on some browsers.
Enrollment
Select one of the following options. This applies when a user creates a passkey.
- Required: Users are prompted for a fingerprint, face scan, or PIN to create a passkey. If their device can't do this, enrollment fails.
- Preferred (default): Users are prompted for a fingerprint, face scan, or PIN. They can still enroll if their device doesn't support these functions.
- Discouraged: Users aren't asked to verify. Use this only when another sign-in step provides enough security.
Some browsers and authenticators ignore this setting.
Authentication
Select one of the following options. This applies when a user signs in with a passkey.
- Required: Users are prompted for their fingerprint, face scan, or PIN every time they sign in. This is the most secure option.
- Preferred (default): Users are prompted for a fingerprint, face scan, or PIN. They can still sign in if their device doesn't support these functions.
- Discouraged: Users aren't asked for verification when they sign in. This is the fastest method for users, but provides less security.
Some browsers and authenticators ignore this setting.
Block synced passkeys
Passkeys let users back up WebAuthn credentials and sync them across devices. Synced passkeys use the same strong, key-based, non-phishable authentication model as Passkeys (FIDO2 WebAuthn). However, they lack some enterprise security features, such as device-bound keys and attestations, which are available with some Passkeys (FIDO2 WebAuthn) authenticators.
In managed-device environments, users may be able to enroll unmanaged devices with a passkey and use these devices to authenticate. Okta allows you to block the use of syncable passkeys for new Passkeys (FIDO2 WebAuthn) enrollments for your entire org. When this feature is turned on, users can't enroll new, unmanaged devices using pre-registered passkeys. Passkeys on Chrome on macOS are device-bound and aren't blocked.
To block synced passkeys, toggle on Block synced passkeys.
If your org has the Block synced passkeys for FIDO2 (WebAuthn) Authenticators Early Access feature enabled, this toggle is read-only unless you disable the feature.
This isn't an attestation-based check. Some authenticators may claim to create device-bound keys when they're actually syncable. This setting blocks authenticators that are known to create syncable passkeys, such as those that are stored in password managers like Google Password Manager, iCloud Keychain, and 1Password.
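The two settings above (the user verification policy and Block synced passkeys) correspond to checks a relying party can make on the authenticator data returned by a WebAuthn registration. The following is an added example, not Okta's code, showing those checks server-side: the UV flag is enforced according to Required / Preferred / Discouraged semantics, and a credential is treated as syncable if its backup-eligible (BE) flag is set or its AAGUID is on a list of known syncable providers, which mirrors the page's note that this is a known-provider check rather than an attestation check. The sample authenticator data is constructed inline, and the AAGUIDs in `KNOWN_SYNCABLE_AAGUIDS` are placeholders, not the identifiers of any real product.

```python
# Added example (not Okta's code): relying-party checks on WebAuthn authenticator
# data that mirror the user verification policy and Block synced passkeys settings.
# Sample data is constructed inline; the AAGUIDs below are placeholders only.
import hashlib
import struct
from typing import Optional

# Bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential can be synced
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, key) follows
FLAG_ED = 0x80  # extension data follows

# Constructed list of "known syncable" AAGUIDs (placeholders, not real values).
KNOWN_SYNCABLE_AAGUIDS = {
    bytes.fromhex("00000000000000000000000000000001"),  # placeholder provider A
    bytes.fromhex("00000000000000000000000000000002"),  # placeholder provider B
}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the 37-byte header and, when the AT flag is set, the AAGUID and credential ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = auth_data[37:53]
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        parsed["credential_id"] = auth_data[55:55 + cred_id_len]
    return parsed


def check_user_verification(flags: int, policy: str) -> tuple:
    """Apply Required / Preferred / Discouraged to the UV flag.
    Only Required rejects a response without UV; Preferred and Discouraged accept
    either way, since an authenticator may verify the user even when not asked."""
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    verified = bool(flags & FLAG_UV)
    if policy == "required" and not verified:
        return False, "user verification required but UV flag not set"
    return True, "user verified" if verified else "user presence only"


def check_synced_passkey(parsed: dict, block_synced: bool) -> tuple:
    """Treat a credential as syncable if BE is set or its AAGUID is a known syncable provider."""
    if not block_synced:
        return True, "synced passkeys allowed"
    if parsed["flags"] & FLAG_BE:
        return False, "credential is backup-eligible (syncable)"
    if parsed["aaguid"] in KNOWN_SYNCABLE_AAGUIDS:
        return False, "AAGUID belongs to a known syncable passkey provider"
    return True, "device-bound credential"


def evaluate_registration(auth_data: bytes, rp_id: str, uv_policy: str, block_synced: bool) -> dict:
    """Run both checks after confirming rpIdHash matches the expected relying party ID."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return {"allowed": False, "reasons": ["rpIdHash mismatch"]}
    results = (check_user_verification(parsed["flags"], uv_policy),
               check_synced_passkey(parsed, block_synced))
    reasons = [why for ok, why in results if not ok]
    return {"allowed": not reasons, "reasons": reasons}


def make_auth_data(rp_id: str, flags: int, aaguid: Optional[bytes] = None, sign_count: int = 0) -> bytes:
    """Construct sample authenticator data for the demonstration (not from a real device)."""
    data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if aaguid is not None:
        cred_id = b"\x11" * 16  # constructed credential ID
        data += aaguid + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"  # empty CBOR map in place of a key
    return data


if __name__ == "__main__":
    rp = "example.com"
    bound = make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_AT, bytes(16))
    print(evaluate_registration(bound, rp, "required", True))   # allowed
    synced = make_auth_data(rp, FLAG_UP | FLAG_BE | FLAG_BS | FLAG_AT, bytes(16))
    print(evaluate_registration(synced, rp, "required", True))  # rejected on UV and BE
```

The BE/BS flags are the authenticator's own statement about syncability, and the page's caveat applies to them as much as to the AAGUID list: an authenticator that misreports its keys as device-bound passes this check, which is why certificate-based attestation validation is the only option that actually proves the device type.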
Required characteristics
You can require certificate-based attestation validation for the Passkeys (FIDO2 WebAuthn) authenticator. When enabled, the provided authenticator's certificate must be validated against the associated certificate in the FIDO MDS or a custom AAGUID validation certificate that's uploaded by the Okta admin.
These options apply to both enrollment and authentication.
- Certificate-based attestation validation: Verifies that the passkey was created on a genuine, trusted device (like a certified security key).
- Hardware protection: Requires the passkey to be stored on secure device hardware, such as TPM or Secure Enclave. This is the same as the app sign-in policies requirement, but enforced for passkey enrollments and authentication.
- FIPS compliant: Requires the authenticator to be compliant with Federal Information Processing Standards (FIPS).
